Debian has issued an advisory on April 27: https://www.debian.org/security/2017/dsa-3836 Mageia 5 is also affected. Upstream has also released 1.7.1 with some important fixes, according to Freenode: https://weechat.org/news/95/20170422-Version-1.7.1/
Whiteboard: (none) => MGA5TOO
Fixed in cauldron
Version: Cauldron => 5Whiteboard: MGA5TOO => (none)CC: (none) => mageia
CVE: (none) => CVE-2017-8073
can we update in mga5 ? i think that this could be a good idea to jum to 1.7.1 in mga5. Wdyt ?
Whiteboard: (none) => MGA5TOOVersion: 5 => CauldronCVE: CVE-2017-8073 => (none)
Whiteboard: MGA5TOO => (none)Version: Cauldron => 5
I guess we could probably update it. openSUSE also patched it: https://lists.opensuse.org/opensuse-updates/2017-05/msg00005.html
Added patch from upstream to fix the issue. New version weechat-0.4.1-7.1.mga5 pushed to core/updates_testing for mga5.
Assignee: jani.valimaa => qa-bugsCC: (none) => jani.valimaa
Thanks Jani! Advisory: ======================== Updated weechat packages fix security vulnerability: It was discovered that weechat is prone to a buffer overflow vulnerability in the IRC plugin, allowing a remote attacker to cause a denial-of-service by sending a specially crafted filename via DCC (CVE-2017-8073). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8073 https://www.debian.org/security/2017/dsa-3836 ======================== Updated packages in core/updates_testing: ======================== weechat-0.4.1-7.1.mga5 weechat-perl-0.4.1-7.1.mga5 weechat-python-0.4.1-7.1.mga5 weechat-tcl-0.4.1-7.1.mga5 weechat-ruby-0.4.1-7.1.mga5 weechat-lua-0.4.1-7.1.mga5 weechat-charset-0.4.1-7.1.mga5 weechat-aspell-0.4.1-7.1.mga5 weechat-devel-0.4.1-7.1.mga5 from weechat-0.4.1-7.1.mga5.src.rpm
x86_64 on real hardware ------------------- #!/bin/bash urpmi weechat urpmi weechat-perl urpmi weechat-python urpmi weechat-tcl urpmi weechat-ruby urpmi weechat-lua urpmi weechat-charset urpmi weechat-aspell urpmi weechat-devel ------------------- weechat appears to be a console based irc client with a minimalist interface. $ weechat ============================================================================= WeeChat 0.4.1 (C) 2003-2013 - http://www.weechat.org/ 20:44:29 | ___ __ ______________ _____ 20:44:29 | __ | / /___________ ____/__ /_______ __ /_ 20:44:29 | __ | /| / /_ _ \ _ \ / __ __ \ __ `/ __/ 20:44:29 | __ |/ |/ / / __/ __/ /___ _ / / / /_/ // /_ 20:44:29 | ____/|__/ \___/\___/\____/ /_/ /_/\__,_/ \__/ 20:44:29 | WeeChat 0.4.1 [compiled on Jun 24 2017 09:56:50] 20:44:29 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 20:44:29 | Bar "input" created 20:44:29 | Bar "title" created 20:44:29 | Bar "status" created 20:44:29 | Bar "nicklist" created 20:44:29 | Plugins loaded: alias, aspell, charset, fifo, irc, logger, lua, perl, | python, relay, rmodifier, ruby, script, tcl, xfer [20:47] [1] [core] 1:weechat <input area> ============================================================================== Plugins are provided for various scripting languages. What you do with them I cannot guess. https://weechat.org/files/doc/stable/weechat_scripting.en.html#introduction gives some hints about writing scripts, starting with weechat_init and "registering" scripts. It does not make much sense without an introductory framework. Nickserv commands like '/lua load script.lua' or '/script load script.rb' are entered into the user input line at the bottom of the terminal. Presumably the default for the script files is the current directory. Shall prod this a bit more later.
CC: (none) => tarazed25
MGA5-32 on Asus A6000VM Xfce No installation issues. Found googling https://weechat.org/files/doc/devel/weechat_quickstart.en.html Used commands /server add magchat irc.freenode.org /set irc.server.freenode.username "My user name" /connect magchat /join #mageia-qa I have been able to post some messages, I see people joining and leaving, but unfortunately nobody took notice of my messages asking for a reply. OK for me.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA5-32-OK
Well found Herman. That would probably have taken me a week. On it later.
Updated the nine packages and invoked the weechat client. Used the setup commands listed by Herman comment 7. 14:37:24 magchat -- | NickServ (NickServ@services.): This nickname is | registered. Please choose a different nickname, or | identify via /msg NickServ identify <password>. 14:39:41 magchat -- | MSG(NickServ): identify ********* 14:39:41 magchat -- | NickServ (NickServ@services.): Invalid password for lcl. freenode always tells me that my nick is already registered and it is not lcl - that is my username. (Maybe this is where the underscore in tarazed comes from.) Proceeded under nick lcl. Joined #mageia-qa and asked for a response - kindly provided by a familiar 'face'. Looked at help list. Signed out OK. So it works operationally and applies the spurious security policy more strictly than when logging in via irssi. Bypassing the scripting side - I should live so long - and giving it the OK.
A side note on comment 9. Looking back at the NickServ responses, the security policy appears to be broken because it allowed me in under an unregistered nick with no password. ??
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA-64-OK
Whiteboard: MGA5-32-OK MGA-64-OK => MGA5-32-OK MGA5-64-OK
Ahum, I didn't put in a password either, but I entered my usual username for the IRC. But that would mean the irc server keeps our authorization open all the time (as Google does as well). In this weechat is a client AFAICS. If the user does not enter an authorization, the server should complain and reject the connection, doesn't it????
There are two things on IRC: - your username: it can be anything, you don't have to register it or identify yourself - your Freenode identity, if relevant: on Freenode (the IRC server), you can register your username to ensure that only yourself will be allowed to use it, or to at least provide a way to identify you for people who want to check your identity. Len used "lcl" as username, which is ok, and is apparently registered to another user, hence the identification failed. Apparently the registered "lcl" user did not apply the policy to prevent people from using their registered name while not online themselves, so Len could keep using it - just unidentified as far as Freenode is concerned. In Herman's case, your username was actually "tester5", so that's not your usual (potentially registered?) IRC username, and you did not have to identify yourself as it's likely not a registered username. So all is well :)
Not complete on my side: i entered the command /set irc.server.magchat.username "hviaene" and that was accepted. tester5 is the OS-username I work on from the command line. I was surprised to see that one in the chat session. When conneting with KVIrc I see hviaene, not my OS-username. But that is all of little or no importance to the use of weechat as an IRC client. I agree all is well.
Thanks to Herman & Len for the not straightforward testing. Validating, advisory from Comment 5 done.
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisoryKeywords: (none) => validated_updateCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0190.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED